{"id":593,"date":"2026-04-14T11:56:40","date_gmt":"2026-04-14T11:56:40","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=593"},"modified":"2026-04-14T11:56:40","modified_gmt":"2026-04-14T11:56:40","slug":"mirax-android-rat-turns-devices-into-socks5-proxies-reaching-220000-via-meta-ads","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=593","title":{"rendered":"Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads"},"content":{"rendered":"
\n
<\/a><\/div>\n

A nascent Android remote access trojan\u00a0called Mirax<\/strong> has been observed actively targeting Spanish-speaking countries, with campaigns reaching more than 220,000 accounts on Facebook, Instagram, Messenger, and Threads through advertisements on\u00a0Meta.<\/p>\n

\u00abMirax integrates advanced Remote Access Trojan (RAT) capabilities, allowing threat actors to fully interact with compromised devices in real time,\u00bb Italian online fraud prevention firm\u00a0Cleafy said<\/a>.<\/p>\n

\u00abBeyond traditional RAT behavior, Mirax enhances its operational value by turning infected devices\u00a0into residential proxy\u00a0nodes<\/a>. Leveraging SOCKS5 protocol support and Yamux multiplexing, it establishes persistent proxy channels that allow attackers to route their traffic through the victim’s real IP\u00a0address.\u00bb<\/p>\n

Details of\u00a0Mirax first\u00a0emerged last month when Outpost24’s KrakenLabs revealed that a threat actor going by the name \u00abMirax Bot\u00bb has been advertising a private malware-as-a-service (MaaS) offering on underground forums for $2,500 for a three-month subscription. Also\u00a0available for $1,750 per month is a lightweight variant that removes certain features like the proxy and the ability to bypass Google Play Protect using\u00a0a crypter.<\/p>\n

Like other Android malware, Mirax supports the ability to capture keystrokes, steal photos, gather lock screen details, run commands, navigate the user interface, and monitor user activity on the compromised device. It\u00a0can also dynamically fetch HTML overlay pages from a command-and-control (C2) server to be rendered over legitimate applications for credential\u00a0theft.<\/p>\n

The incorporation of a SOCKS proxy, on the other hand, is a relatively lesser-known feature that sets it apart from conventional RAT behavior. The\u00a0proxy botnet offers several advantages in that it allows threat actors to get around geolocation-based restrictions, evade fraud detection systems, and conduct account takeovers or transaction fraud under the guise of increased anonymity and legitimacy.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

\u00abUnlike typical MaaS offerings, Mirax is distributed through a highly controlled and exclusive model, limited to a small number of affiliates,\u00bb researchers Alberto Giust, Alessandro Strino, and Federico Valentini said. \u00abAccess appears to be prioritized for Russian-speaking actors with established reputations in underground communities, indicating a deliberate effort to maintain operational security and campaign effectiveness.\u00bb<\/p>\n

Attack chains distributing the malware use Meta ads to promote dropper app web pages, tricking unsuspecting users into downloading them. As\u00a0many as six ads have been\u00a0observed actively advertising<\/a> a streaming service with free access to live sports and movies. Of\u00a0these, five ads are directed against users in Spain. One\u00a0of the ads, which started running on April 6, 2026, has a reach of 190,987\u00a0accounts.<\/p>\n

\"\"<\/a><\/div>\n

The dropper app URLs implement a number of checks to ensure that they are accessed from mobile devices and to prevent automated scans from revealing their true color. The\u00a0names of the malicious apps are listed below\u00a0–<\/p>\n